Vulnerabilities

CVE-2026-33638

by Fred · 26/03/2026

Ech0 is an open-source, self-hosted publishing platform for personal idea sharing. Prior to version 4.2.0, `GET /api/allusers` is mounted as a public endpoint and returns user records without authentication. This allows remote unauthenticated user enumeration and exposure of user profile metadata. A fix is available in v4.2.0.

More information : https://github.com/lin-snow/Ech0/commit/acbf1fd71011e6b9e1e6a911128056a19862f681

Similar

Tags: Cybersecurity Alert